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Alarm Recovery System and method for Fuel Cell Testing Systems 
Priority Claim 

[0001] Tills application Is a continuation-in-part of U.S. Application No. 
10/244,609 (filed on September 17, 2002). the entire contents of which are 
hereby incorporated by reference. Furthermore, a priority claim is made to 
5 U.S. Provisional Application No. 60/463.313 (filed on April 17, 2003), the 
entire contents of which are also hereby Incorporated by reference. 
Field of the invention 

[0002] The invention relates to fuel cell testing systems, and, in 
particular to an alarm recovery system and method for fuel cell testing 
10 systems. 

Background of the Invention 

[0003] Fuel cells convert chemical energy of fuels into electricity. In 
some types of fuel cells hydrogen and an oxidant are used as the basic fuels 
In a set of complementary chemical reactions yielding electricity as one 
15 product. Theoretically, the only products of such reactions are electricity, heat 
and water. In reality, a number of practical factors affect the efficiency of the 
reactions, and, as a consequence, other undesirable by-products are also 
produced. 

[0004] The development of a fuel cell requires rigorous testing to 
20 ensure that all of the reaction products produced can be predictably regulated 
during the foreseen operation of the fuel cell. Several testing systems have 
been developed for this purpose. An exemplary testing system is provided in 
U.S. Application No. 10/244,609, which was incorporated by reference above. 
This testing system can be used to carry out trials during which process and 
25 operating parameters for a fuel cell are purposefully varied to mirror foreseen 
use and abuse. 

[0005] A long-term trial may be stopped short due to breached alarm 
thresholds built into a testing system's safety controls. If one of the alarm 
thresholds is crossed during a trial a safety control mechanism included in the 



testing system may act to terminate the trial, even though corrective action 
may reverse alarm conditions in some scenarios. Such stoppages can 
severely slow down progress during the development of a fuel cell design 
and/or other systems concurrently being deigned to co-operate with it. 
5 Summary of the invention 

[0006] According to an aspect of an embodiment of the Invention there 
is provided an fuel cell testing system having: a safety system for monitoring 
at least one process and operating parameter during a fuel cell testing trial 
and evaluating whether at least one alarm threshold has been violated by the 

10 at least one process and operating parameter; a computer usable medium 
having computer readable code means embodied therein for causing the 
safety system to suspend the fuel cell testing trial when said at least one 
alarm threshold has been violated and subsequently to initiate a 
corresponding alarm recovery sequence for a violated alarm threshold; and 

15 Instructions for recording and evaluating measured process and operating 
parameters in order to determine whether said at least one alarm threshold 
has been violated. 

[0007] According to another aspect of the invention there is provided a 
method of controlling a fuel cell testing trial having the steps of: measuring at 
20 least one process and operating parameter of a fuel cell under test; evaluating 
the at least one process and operating parameter to determine whether at 
least one alarm threshold has been violated by said at least one process and 
operating parameter; suspending the fuel cell testing trial if at least one alarm 
threshold has been violated; and Initiating an alarm recovery sequence. 

25 [0008] Other aspects and features of the present invention will become 
apparent, to those ordinarily skilled in the art, upon review of the following 
description of the specific embodiments of the invention. 

Brief descript ion of the drawings 

[0009] Preferred embodiments of the invention will now be described 
30 with reference to the attached drawings in which: 
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[0010] Figure 1 is a simplified schematic drawing of a fuel cell module; 

[0011] Figure 2 is a simplified schematic drawing of a fuel cell testing 
system in combination with the fuel cell module shown in Figure 1 ; 

[0012] Figure 3 is a flow chart depicting the general steps provided in a 
5 first modified safety program according to one embodiment of the invention; 

[0013] Figure 4 is a flow chart depicting the general steps provided in a 
second modified safety program according to another embodiment of the 
invention; and 

[0014] Figure 5 is a flow chart depicting a very specific example of an 

10 alarm recovery sequence in accordance with an embodiment of the invention. 



Detailed description of the invention 

[0015] Shutting down a fuel cell testing system during a trial may, in 
some instances, be unnecessary and corrective action may be possible to 

15 bring the process and operating parameters, which violated a particular alarm 
threshold, back to within a safe operating range. A trail may be either a fuel 
cell test condition that is allowed to run steady state or it may be an 
automation test sequence that puts the fuel cell through a programmed set of 
operating conditions. In some embodiments of the invention there is provided 

20 a modified safety system that can interrupt and suspend a trial when an alarm 
threshold has been violated and initiate a corresponding alarm recovery 
sequence to bring a fuel cell under test and/or the fuel cell testing system 
back to within a safe operating range. In some embodiments, if the modified 
safety system determines that the alarm recovery sequence was not effective, 

25 emergency shutdown of the testing system is initiated. In other embodiments, 
further alarm recovery sequences may be initiated before emergency 
shutdown of the testing system is commenced. On the other hand, in some 
embodiments, the suspended trial is restarted if the alarm recovery sequence 
was deemed to be effective. The present invention in some embodiments Is 



equally applicable to fuel cell module and fuel cell system testing as it is to 
fuel cell stack testing. 

[0016] Fuel cells are commonly connected in series to form a fuel cell 
stack. The fuel cell stack provides a larger electric potential than a single fuel 
cell; and since the fuel cell stack effectively operates as one unit, a co- 
operative design for supporting systems and instrumentation required by the 
constituent fuel cells is possible. A fuel cell stack is typically enclosed In a 
single housing that is designed to include connections for piping, sensors, 
regulators (e.g. for temperature, pressure, relative-humidity, flow rate of fuels 
and coolant, etc.), and other instrumentation used to support the operation of 
the fuel cell stack. The fuel cell stack, housing, and associated combination of 
hardware, software and firmware make up a fuel cell module. 

[0017] Referring to Figure 1 , shown is a simplified schematic drawing of 
a fuel cell module 100 that will be described herein to illustrate some general 
considerations relating to the testing of fuel cell modules. It is to be 
understood that the present invention is applicable to the testing of various 
configurations of fuel cell modules that would each include a suitable 
combination of supporting systems, instrumentation, hardware, software, 
firmware and structural elements. 

[0018] As is known, there are a wide variety of different fuel cell 
technologies, and in general, this invention is expected to be applicable to any 
type of fuel cell, including alkaline, direct methanol, molten carbonate, 
phosphoric acid and solid oxide fuel cells. However, the invention has been 
developed for use with PEM (Proton Exchange Membrane) fuel cells, and is 
described in relation to a PEM fuel cell stack powered by hydrogen. 

[0019] The fuel cell module 100 has an anode 21 and a cathode 41. 
The anode 21 has a gas input port 22 and a gas output port 24. Similarly, the 
cathode 41 has a gas input port 42 and a gas output port 44. The fuel cell 100 
also includes a water Input/Output (I/O) port 31 through which water can be 
supplied to and/or removed from the fuel cell module 100. and commonly is 
supplied to humidifiers (not shown) for the incoming gas streams. The fuel cell 
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module 100 also includes a first catalyst 23 in close proximity to the anode 21 , 
a second catalyst 43 in close proximity to the cathode 41, and an electrolyte 
30 between the anode 21 and the cathode 41. Also shown in Figure 1 is a 
load 15 coupled between the anode 21 and the cathode 41. 

5 [0020] As noted above, a fuel cell is an electrochemical device that 
generates electricity from stored chemical energy in the fuels employed. 
Referring again to the fuel cell module 100, illustrated in Figure 1, hydrogen is 
introduced into the anode 21 via the gas Input port 22 under some 
predetermined conditions. Examples of the predetermined conditions may 
10 include factors such as flow rate, temperature, pressure, relative humidity and 
a mixture of the hydrogen with other gases. The hydrogen reacts 
electrochemically according to equation (1), given below, in the presence of 
the electrolyte 30 and the first catalyst 23. 

(1) H2 ^ 2H* + 2e- 

15 The products of equation (1) are hydrogen ions and electrons. The hydrogen 
ions pass through the electrolyte 30 to the cathode 41 while the electrons are 
drawn through the load 15. Un-reacted hydrogen and other gases are drawn 
out through gas output port 24. 

[0021] Simultaneously (to the reactions In the anode 21 described 
20 above) an oxidant, such as air, is introduced into the cathode 41 via the gas 
input port 42 under some predetermined conditions. Examples of the 
predetermined conditions may again include factors such as flow rate, 
temperature, pressure, relative humidity and a mixture of the oxidant with 
other gases. The oxidant reacts electrochemically according to equation (2), 
25 given below, in the presence of the electrolyte 30 and the second catalyst 43. 

(2) 1/202 + 2H* + 2e-^ H2O 

It can be noted from equation (2), that the electrons and the ionized hydrogen 
atoms, produced in equation (1) at the anode 21, are consumed In the 
reaction at the cathode 41. Excess gases, including un-reacted oxidant, and 



the generated water are drawn out of the cathode 41 through gas output port 
44. 

[0022] Generally, as mentioned above, other gases may be introduced 
into the anode and the cathode to mix with the hydrogen and oxidant, 
5 respectively. These other gases help to regulate the aforementioned 
electrochemical reactions and suppress any side reactions that may occur 
due to impurities and inefficiencies within a fuel cell module. Also, the addition 
of other gases would allow testing of the fuel cells under non-ideal conditions 
of reactant purity. Examples of other gases introduced Into the anode may 
10 include, but are not limited to, steam, methane, carbon monoxide, carbon 
dioxide, nitrogen and air. Similarly, examples of other gases introduced into 
the cathode may include, but are not limited to, steam, nitrogen, air, and 
helox. 

[0023] The process and operating parameters (such as temperature, 
15 internal pressures, electrical outputs, etc.) of a fuel cell module are closely 
monitored and regulated. Operating parameters of particular Interest include a 
voltage across each fuel cell in a fuel cell stack, commonly referred to as cell 
voltage, and an internal resistance of each fuel cell. Moreover, the process 
gases have to be delivered to a fuel cell module at respective flow rates and 
20 each having a corresponding temperature, pressure and relative humidity. 
The reaction products have to be removed from the fuel cell module. 
Monitoring and regulating all of these parameters ensures preferable 
performance of the fuel cell module for a given output demand required by a 
particular load. Thus, during the testing of a fuel cell module a number of the 
25 aforementioned process and operating parameters are varied and outputs are 
monitored to evaluate the performance the fuel cell module under different 
conditions, so that the preferable settings for the process and operating 
parameters can be ascertained for different loading conditions. 

[0024] An embodiment of a fuel cell testing system disclosed in U.S. 
30 Application No. 10/244,609 advantageously enables the use of user defined 
application programs (i.e. user applications or application programs) to 



automate the control of a fuel cell testing trial. The testing system, in some 
embodiments, incorporates a micro-controller (or microcomputer) that 
executes test instructions or test vectors in the user application (s), while 
simultaneously running a safety system. The role of the safety system Is to 
monitor the process and operating parameters and initiate an emergency 
shutdown of the testing system if one of a number of pre-programmed alarm 
thresholds is crossed during a trial. For example, emergency shutdown may 
occur if the operating temperature of the fuel cell module becomes 
exceedingly high due to an increased reaction rate caused by an oversupply 
of fuels into the anode(s) and/or cathode(s) of the constituent fuel cell(s). 

[0025] Violation of an alarm threshold during a trial is generally not 
predictable and one purpose of the testing process is to discover unknown 
design faults so that they may be corrected. In view of these factors and the 
rapid progress being made in this field, testing of a new fuel cell module 
design typically required a conservative approach so that a fuel cell module 
and/or a testing system was not damaged during a trail. Consequently, the 
testing of a new fuel cell module design had to be carried out with non- 
optimized monitoring and regulating computer control. 

[0026] Some embodiments of the present invention provide a system 

and method that incorporates a call to an alarm recovery sequence into a 
safety system for use within a fuel cell testing system. In other embodiments 
of the present invention there Is provided a safety system and method, for use 
within a fuel cell testing system, which Is able to suspend a (fuel cell testing) 
trial and initiate an alarm recovery sequence upon detecting that a 
corresponding alarm threshold has been violated. The safety system and 
method is then able to restart the trial if it is determined that the alarm 
recovery sequence was effective, in that the process and operating 
parameters that violated the particular alarm threshold(s) have been brought 
back to within a safe operating range. Various embodiments of the present 
invention may be advantageously integrated into various embodiments of the 
testing system disclosed in U.S. Application No. 10/244,609. 
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[0027] Referring now to Figure 2. shown is a schematic drawing of a 
simplified fuel cell testing system 200 coupled to the fuel cell module 100 
(illustrated in Figure 1). The testing system 200 shown in Figure 2 includes 
some basic features found in a practical fuel cell testing system. Those skilled 
in the art would appreciate that a practical testing system also includes a 
suitable combination of sensors, regulators (e.g. for temperature, pressure, 
humidity and flow rate control), control lines and supporting 
apparatus/instrumentation in addition to a suitable combination of hardware, 
software and firmware. Furthermore, it is also to be understood that the 
description provided herein, relating to the simplified testing system 200, is by 
no means meant to restrict the scope of the claims following this section. 
Again, this testing system is configured for a PEM-type fuel cell, and the 
sensors, regulators, etc. would need to be varied for other types of fuel cells. 

[0028] The testing system 200 includes a test controller 300 that is 
used to manage fuel cell testing by a skilled operator. In some embodiments 
the test controller 300 is made up of a single server or computer having at 
least one microcomputer; and, in other embodiments the test controller 300 Is 
made up of a combination of microcomputers appropriately configured to 
divide the tasks associated with fuel cell testing amongst the combination of 
microcomputers. 

[0029] In some embodiments the test controller 300 is made up of a 
computer usable medium having a computer readable code means, a 
modified safety system 370 and at least one application program 380. In the 
present embodiment of the Invention the test controller 300 includes a 
memory device (not shown) storing a computer readable code means having 
instructions for the modified safety system 370 and the at least one 
application program 380. The modified safety system 370, in accordance with 
an embodiment of the invention, is capable of calling an alarm recovery 
sequence in the event that a corresponding alarm threshold has been 
violated. The at least one application program 380 contains user designed 
test vectors for varying the process and operating parameters of a fuel cell 
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module under test. In some embodiments, application programs are made up 
of computer readable codes means having data and instructions for executing 
a sequence of test vectors defining a trial. 

[0030] The testing system 200 also includes a number of physical 
5 connections to ports of the fuel cell module 100 that are used to supply 
required gases and vent exhaust and un-used gases from the fuel cell module 
100. The physical connections include gas supply ports 222 and 242. gas 
exhaust ports 224 and 244 and a water supply exchange port 231. The gas 
supply ports 222 and 242 are coupled to the gas input ports 22 and 42 of the 
10 fuel cell module 100. respectively. The gas exhaust ports 224 and 244 are 
coupled to gas output ports 24 and 44 of the fuel cell module 100, 
respectively. The water supply exchange port 231 is coupled to the water I/O 
port 31 of the fuel cell module 100. 

[0031] Additionally, there are a number of sensor connections between 
15 the testing system 200 and the fuel cell module 100. The sensor connections 
are advantageously used to monitor reaction products and electrical outputs 
produced by the fuel cell module 100 as well as other process and operating 
parameters. In the present embodiment, the testing system 200 includes 
sensors 311, 313, 315, 317 and 319 that are connected to ports 222, 224, 
20 231 , 244 and 242 (of the fuel cell module 1 00), respectively. The sensors 311, 
313, 315, 317 and 319, may be used, for example, to monitor one or more of 
temperature, pressure, composition and relative humidity of Input and output 
gases or fluid flows through any of the ports 222, 224, 231, 244 and 242. 

[0032] The test controller 300 is also electrically connected to the 
25 regulators 310, 312, 314, 316 and 318 that are used to regulate process and 
operating parameters associated with ports 222, 224, 231, 244 and 242, 
respectively. 

[0033] Moreover, within the context of the testing system 200, the load 
15 shown in Figure 1, has been replaced by a loadbox 215. The voltage and 
30 current drawn by the loadbox 215 is controllable so that different loading 
conditions can be Imposed on the fuel cell module 100 during testing. 
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[0034] In operation the test controller 300 executes test vectors 
provided In the at least one application program 380. This Is done by 
extracting the test vectors from the at least one application program 380 and, 
in turn, varying the loading conditions provided by the loadbox 215 and/or 
5 other process and operating parameters in accordance with the test vectors 
provided. The later is accomplished by having the test controller 300 transmit 
control signals to the regulators 310. 312, 314, 316 and 318. The test 
controller 300 then receives measurements related to the reaction products, 
electrical outputs and/or other process and operating parameters from the 
10 sensors 311, 313, 315, 317 and 319. The measurements can be recorded 
and evaluated. 

[0035] During the testing process (i.e. a trial) alarm thresholds may be 
violated. Subsequently the testing process may unnecessarily be stopped 
short of completion by a safety system included in a testing system, such as 
15 the testing system 200. However, as noted above, embodiments of the 
present invention provide an alarm recovery system and method that can be 
automatically employed during a trial when an alarm threshold Is violated. 

[0036] Referring now to Figure 3, illustrated is a flow chart depicting the 

general steps provided in a first modified safety system according to one 

20 embodiment of the invention, and hereinafter simply referred to as the safety 
system. The safety system operates to monitor whether or not any of a 
number of alarm thresholds is violated during a trial, and if there is an alarm 
threshold violation the safety system responds as described below. The alarm 
thresholds at least partially define a safe operating range for the fuel cell and 

25 fuel cell testing system during a particular trial. The violation of an alarm 
threshold involves the measurement of one or more process and operating 
parameters, which are in turn appropriately considered by the safety system. 

[0037] Starting at step 3-1, the modified safety system is initialized 
when a fuel cell testing system is set-up to carryout trials on a fuel cell 
30 module. At such a point sensors and regulators associated with the testing 
system are calibrated and checked and the fuel cell module itself is connected 
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to the testing system. A trial begins with the execution of at least one 
application program (i.e. user defined application) having instructions for 
varying the process and operating parameters associated with a fuel cell 
module. The safety system continuously or intermittently runs during the 
course of the trial. In some embodiments the safety system, described herein 
with reference to Figure 3, includes a computer readable code means having 
instructions for monitoring, evaluating, interrupting and calling an alarm 
recovery sequence for a respective violated alarm threshold. 

[0038] At step 3-3, the safety system polls sensors connected to the 
fuel cell module thereby measuring process and operating parameters. Any 
parameter that can be measured that will in turn provide information leading to 
an indication of how the fuel cell module is operating falls within the scope of 
parameters that may be measured by the sensors. For example, measurable 
process and operating parameters may Include, but are not limited to, 
temperature of input and output gases, flow rates, reaction products and 
electrical outputs of the fuel cell module. Moreover, in some embodiments the 
safety system includes a computer readable code means having instructions 
for polling sensors to measure at least one process and operating parameter. 

[0039] At step 3-5 the safety system records and evaluates the sensor 
readings of the measured process and operating parameters. In some 
embodiments a log is maintained for such records so that such data can be 
analyzed at a later time. Then, at step 3-7, the safety system determines 
whether or not any of the measured process and operating parameters has 
violated any of the alarm thresholds. In some embodiments the safety system 
Includes a computer readable code means having instructions for recording 
and evaluating measured process and operating parameters. 

[0040] If none of the alarms thresholds have been violated (no path, 

step 3-7), it is assumed that the trial is proceeding within the safe operating 
ranges defined for the trial. Subsequently, the safety system loops back to 
step 3-3. On the other hand, if one or more of the alarm thresholds have been 
violated (yes path, step 3-7) the safety system proceeds to step 3-9. 
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[0041] At step 3-9, the safety program suspends the application 
program carrying out the test vectors for the current trial, so that the process 
and operating parameters that have violated the alarm threshold(s) do not 
worsen. At step 3-11, the safety system generates an alarm flag for each 
5 alarm threshold that has been violated. Each alarm flag is assigned a priority 
based on Its respective importance and/or how severe the damage caused by 
the alarm threshold violation might be if corrective action is not taken. One 
skilled in the art would appreciate that the order of steps 3-9 and 3-1 1 could 
be interchanged without departing from the scope of the present invention. 
10 Further, in some embodiments the safety system includes a computer 
readable code means for independently suspending an application program 
and/or generating priority sorted alarm flags for respective alarm thresholds 
that have been violated. 

[0042] In other embodiments, the alarm flags are not assigned a priority 
1 5 and each alarm flag is dealt with in order of occurrence. 

[0043] At step 3-13, the alarms flags are then processed in order of 
priority. That is, an alarm recovery sequence for the highest priority alarm flag 
Is activated. The alarm recovery sequence is advantageously in the form of a 
user defined alarm script that is called by the safety system. The alarm script 
20 Is, in some embodiments, in the form of a computer readable code means 
having instructions for carrying out the sequence steps that make up the 
alarm recovery sequence. A very specific example of an alarm script is 
provided below with respect to Figure 5. 

[0044] During step 3-15 the alarm recovery sequence is initiated by the 
25 safety system. The safety system continues to poll the sensors and monitor 
the process and operating parameters. That Is, the execution of a alarm 
recovery sequence Is treated the same as the execution of any other 
application program, which means that a particular alarm recovery sequence 
corresponding to an alarm flag with a respective priority may be interrupted 
30 and suspended if a higher priority alarm is generated by the safety system. 
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This aspect of the invention will be discussed further with reference to the flow 
chart illustrated in Figure 4. 

[0045] After the alarm recovery sequence has finished, the safety 
system loops back to step 3-3 after restarting the suspended application 
program (or alarm recovery sequence) from where it was suspended In step 
3-21. As described In the U.S. Application No. 10/244,609, which was 
incorporated by reference above, the safety system continues to monitor the 
alarm thresholds, as a part of a separate sub-routine (or sub-system), in order 
to enact a termination of the trial, which may still be necessary if the alarm 
recovery sequence was not effective. 

[0046] In the present embodiment of the invention, it is assumed that 
the alarm recovery sequence may have also had a positive effect on some or 
all of the other alarm flags generated. So instead of processing the lower 
priority alarm flags found at step 3-7, the safety program loops back to step 3- 
3 to poll the sensors again to retrieve a current measurement of the process 
and operating parameters. However, in alternative embodiments the lower 
priority flags may be processed before returning to step 3-3. Moreover, the 
execution of an alarm recovery sequence may be interrupted if a higher 
priority alarm flag is generated. 

[0047] Referring now to Figure 4, illustrated is a flow chart depicting the 
general steps provided In a second modified safety system according to 
another embodiment of the invention, and hereinafter simply referred to as the 
safety system. This safety system has the same practical purpose as the 
safety system described with respect to Figure 3. In fact, the steps 4-1 to 4-7 
are the same as step 3-1 to 3-7, respectively. 

[0048] Accordingly, at step 4-9, following from a positive indication at 
step 4-7 (yes path, step 4-7), the safety system generates at least one alarm 
interrupt with a respective priority in a similar manner to that which generated 
the alarm flags In step 3-9. In some embodiments the safety system includes 
a computer readable code means having instructions for generating alarm 
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interrupts with respective priorities corresponding to respective alarm 
thresholds that have be violated. 

[0049] Subsequently, at step 4-11 the at least one alarm interrupt is 
sent to an interrupt queue maintained and managed by the safety system. 
After the at least alarm interrupt is received into the Interrupt queue the safety 
system, at step 4-13. determines whether or not the at least alarm Interrupt 
has a priority that is higher than the highest interrupt in the queue. This would 
Include a corresponding alarm interrupt for a respective alarm recovery 
sequence that is currently being executed. If the at least one alarm interrupt 
does not (no path, step 4-13) have a higher priority than any other alarm 
interrupt in the queue, the safety system proceeds to step 4-23, in which the 
interrupt queue is sorted into an order (i.e. ascending or descending) based 
on priority. Similar to what was noted above, in alternative embodiments, the 
alarm interrupts may not be assigned a priority, and in which case, the alarm 
interrupts would be processed in order of occurrence. The safety program 
then proceeds back to step 4-3. In some embodiments the safety system 
Includes a computer readable codes means having instructions for 
maintaining and managing an interrupt queue as described herein. On the 
other hand, if the at least one alarm Interrupt has the highest priority in the 
Interrupt queue (yes path, step 4-13) the safety system proceeds to step 4-15. 

[0050] At step 4-15 the currently executing application program or 
another alarm recovery sequence is suspended and a respective alarm 
recovery sequence corresponding to the at least one alarm Interrupt is 
initiated by the safety program. After the respective alarm recovery sequence 
has finished executing, the safety system determines whether or not the 
process and operating parameters that resulted in the at least one alarm 
interrupt have changed to safer values. This process is similar to what was 
described above with respect to Figure 3. Subsequently, the safety system 
proceeds to step 4-3 after restarting the suspended application program (or 
alarm recovery sequence) from where it was suspended in step 4-25. 
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[0051] Again, as described in the U.S. Application No. 10/244,609, 
which was incorporated by reference above, the safety system continues to 
monitor the alarm thresholds, as a part of a separate sub-routine (or sub- 
system), in order to enact a termination of the trial, which may still be 
5 necessary if the alarm recovery sequence was not effective. 

[0052] Moreover, it should again be noted that an alarm recovery 
sequence is advantageously interruptible by some other alarm recovery 
sequence that has a respective alarm interrupt with a higher priority than the 
currently executing alarm recovery sequence. 

10 [0053] As described above, the role of the safety system is to monitor 
the process and operating parameters and initiate a respective alarm recovery 
sequence if one of a number of pre-programmed alarm thresholds is crossed 
during a trial. Emergency shutdown of the testing system is initiated if the 
alarm recovery sequence is deemed to have been Ineffective. 

15 [0054] For example, an alarm threshold may be violated if the operating 

temperature of the fuel cell module becomes exceedingly high due to an 
increased reaction rate caused by an oversupply of fuels into the anode(s) 
and/or cathode(s) of the constituent fuel cell(s). Referring now to Figure 5, 
illustrated is a flow chart depicting a very specific example of an alarm 

20 recovery sequence that may be initiated in response to the violation of the 
aforementioned alarm threshold associated with over heating of a fuel cell 
module under test. Those skilled in the art would appreciate that numerous 
other alarm recovery sequences could be provided for the aforementioned 
alarm threshold and/or numerous other alarm thresholds provided to ensure 

25 the safe operation of a fuel cell under test. 

[0055] Starting at step 5-1 , the alarm recovery sequence is initiated by 
a modified safety system provided by an embodiment of the invention. In this 
step, control of regulating devices provided in a testing system is transferred 
to the alarm recovery sequence. At step 5-3 an electrical load provided by a 
30 loadbox is reduced so as to reduce the amount of current required. 
Subsequently, at step 5-5 the temperature of incoming coolant is decreased, 
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and, then at step 5-7, the speed of cooling fans or pumps within the testing 
system and/or the fuel cell is turned up to provide additional heat dissipation. 
Finally, at step 5-9 the alarm recovery sequence ends and control of the 
regulating devices is transferred from the alarm recovery sequence. For 
example, in a REM fuel cell, the active membrane is sensitive to temperature. 
Thus, a final alarm threshold could be set for a maximum normal operating 
temperature. If this is exceeded, the steps of Figure 5 are initiated. If these fail 
to bring the temperature down, and the temperature rises above a second, 
higher threshold, indicative of possible or incipient damage to the membrane, 
then the fuel cell stack is shut down, so as (i) to prevent damage to the 
membrane and (ii), recognizing that damage may have occurred, to enable 
the fuel cell stack to be checked before restarting the test. 

[0056] In some embodiments a computer readable code means is 
provided having instructions for transferring control of regulating devices to 
and from an alarm recovery sequence initiated by a modified safety program 
provided by an embodiment of the invention. However, it should be noted that, 
in general, the safety program retains an override control over such controls 
regardless of whether an alarm recovery sequence is executing or an 
application program is executing. 

[0057] Numerous modifications and variations of the present invention 

are possible in light of the above teachings. It is therefore to be understood 
that within the scope of the appended claims, the invention may be practiced 
otherwise than as specifically described herein. For example, in some 
embodiments, depending upon the specific alarm threshold, an alarm 
threshold may have multiple levels. For example there may be a first and a 
second level related to a particular alarm threshold. In such a situation a 
corresponding alarm recovery script may be called after the violation of the 
first level and a second set of actions may occur after the violation of the 
second level. The second set of actions may include the initialization of a 
second alarm recovery sequence or simply result in the termination of a trial. 



